CONFIG_SCSI_MPT2SAS and CONFIG_SCSI_MPT3SAS both point to the same driver for PCI-Express SAS 12Gb/s Host Adapters. Make loadable instead of built-in by default, as not all use cases need these. We initially made these built-in with the initial distribution of CBL-Mariner and not by specific request.
CONFIG_PATA_LEGACY supports PATA (Parallel ATA), the older parallel-connected bus (those using ribbon cable). Make loadable instead of built-in by default.
Enable CONFIG_PARAVIRT_SPINLOCK. Performance improvement. Changes the spinlock mechanism for virtualized environments to "something virtualization-friendly". This is recommended by upstream default.
Enable CONFIG_X86_KERNEL_IBT. A security feature to protect against indirect branch tracking. The kernel IBT defense strongly mitigates the common "first step" of ROP attacks, by eliminating arbitrary stack pivots. It is now a recommended default. Should not impact hardware which does not support it.
Enable CONFIG_X86_CET. Selected by CONFIG_X86_KERNEL_IBT.
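The changes above each move a Kconfig option to a specific tristate (y for built-in, m for loadable module, n for disabled). The following script is an added example, not part of these commits or of the Azure Linux toolkit: it reads the tristate of each option from a kernel config file and reports mismatches against an expected list, which is the check a practitioner would run against /boot/config-$(uname -r) (or the output of zcat /proc/config.gz) to confirm a built kernel matches the intent of a changelog like this one. The config fragment embedded below is constructed for the demonstration; the option names come from the commits above, except CONFIG_PARAVIRT_SPINLOCKS, which is the symbol as spelled in upstream Kconfig.

```shell
#!/bin/sh
# Added example (not from the Azure Linux commits): audit the tristate of
# kernel config options against an expected list.

# Print the tristate of one option from a kernel config file: y, m, or n.
# An absent option and "# CONFIG_X is not set" both count as n.
kconfig_value() {
    file="$1"; opt="$2"
    val=$(sed -n "s/^${opt}=\(.*\)$/\1/p" "$file" | tail -n 1)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'n\n'
    fi
}

# Compare one option against the expected tristate; return 0 on a match.
kconfig_expect() {
    file="$1"; opt="$2"; want="$3"
    got=$(kconfig_value "$file" "$opt")
    if [ "$got" = "$want" ]; then
        echo "ok   $opt=$got"
        return 0
    fi
    echo "FAIL $opt: want $want, got $got" >&2
    return 1
}

# Check every OPTION=expected pair in $2.. against the config file in $1.
# The return value is the number of mismatches (0 means all as intended).
kconfig_audit() {
    file="$1"; shift
    fails=0
    for pair in "$@"; do
        opt=${pair%%=*}; want=${pair#*=}
        kconfig_expect "$file" "$opt" "$want" || fails=$((fails + 1))
    done
    return "$fails"
}

# Constructed sample config fragment standing in for /boot/config-$(uname -r).
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_SCSI_MPT2SAS=m
CONFIG_SCSI_MPT3SAS=m
# CONFIG_PATA_LEGACY is not set
CONFIG_PARAVIRT_SPINLOCKS=y
CONFIG_X86_KERNEL_IBT=y
CONFIG_X86_CET=y
EOF

# Expected state after the changes described in the changelog: SAS and PATA
# drivers loadable or off, paravirt spinlocks and kernel IBT/CET built in.
kconfig_audit "$SAMPLE_CONFIG" \
    CONFIG_SCSI_MPT2SAS=m CONFIG_SCSI_MPT3SAS=m CONFIG_PATA_LEGACY=n \
    CONFIG_PARAVIRT_SPINLOCKS=y CONFIG_X86_KERNEL_IBT=y CONFIG_X86_CET=y
echo "mismatches: $?"
```

On a live system, replace the constructed fragment with the real config file; a non-zero return from kconfig_audit is the count of options that differ from the expected tristate, so it can gate an image build or a CI job directly.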
Enable USB HID support for AMD. This feature allows devices to use the HIDDEV API. "The two big examples for this are power devices (especially uninterruptible power supplies) and monitor control on higher end monitors."
Enable the module ch341. This is being added as an optional loadable module to support using a Winchiphead CH341 single port USB to serial adapter.
Enable USB Test and Measurement Class driver as a loadable kernel module. This module is used for many USB devices that meet the USB Test and Measurement device specification, like HW and Power Analyzers.
Signed-off-by: Chris Co <chrco@microsoft.com>
Enable Multipath TCP (MPTCP) to allow using multiple interface paths to send and receive TCP packets for improving throughput and redundancy.
Signed-off-by: Chris Co <chrco@microsoft.com>
Enable the Extended Verification Module (EVM) support to allow the verification of security-related extended attributes like SELinux file labels or IMA hash.
Signed-off-by: Chris Co <chrco@microsoft.com>
Co-authored-by: Chris Co <chrco@microsoft.com>
Enable FS-verity and Integrity Policy Enforcement LSM. These are useful security features that users/services can leverage to better secure their system.
Signed-off-by: Chris Co <chrco@microsoft.com>
Add DMI sysfs and EROFS module support. Additionally hooks for Secure Boot with dm-verity verification.
These kconfigs will also be necessary to onboard Azure Linux into upstream systemd's CI testing.
Signed-off-by: Chris Co <chrco@microsoft.com>
Move a batch of configs that were built-in to modules to maintain flexibility, while reducing kernel size and boot speed.
These modules are already set as modules on x86 and only targeted to change on arm64.
Signed-off-by: Kelsey Steele <kelseysteele@microsoft.com>
The TPM event log does not appear to be passed to the kernel when Secure Boot is enforcing. To restore this critical functionality, revert to our previous 2.06 grub2, which has this support and all SBAT-related CVEs patched.
This reverts commit 26d9bca.
Enable the secondary keyring for partners to enroll their own key which is used to sign and validate kernel modules for a specific project. This limits the trust of modules built and signed by partners to their respective images and products.
- Add kernel-uki-signed.spec
- Add systemd-boot-signed.spec
- kernel-uki: Install UKI EFI binary under /boot and create a symlink to it under /lib/modules/$(uname -r)/
Signed-off-by: Thien Trung Vuong <tvuong@microsoft.com>
- kernel-uki: include i18n dracut module so UKI systemd-vconsole-setup service works
- toolkit: add support for partition type UUID
- imageconfigs: add CVM image definition
Signed-off-by: Thien Trung Vuong <tvuong@microsoft.com>
Co-authored-by: Dan Streetman <ddstreet@microsoft.com>